Power Grids Increasingly Vulnerable to Malware

Did you know malware and cyber attacks could have an impact on the core needs of life? In this case it is the energy we use to keep our lights on. As information technology has improved over the years, so too have our ability to integrate IT with infrastructure. This has had benefits of increased service quality, streamlined operations management, and more accurate real time data. These benefits of IT integrations have come with the price of vulnerability though. In more recent decades cyber criminals have developed the ability to disrupt infrastructure and critical services reliant on computers for management. This means almost all core services and infrastructure that allows a city to operate. The cyber criminals can at times be rogue groups on the Darknet, and it can sometimes be it can be state actors. Power grids have been disrupted in the past few years by malware, with the most recent cases from the Ukraine . In both 2015 and 2016, the Ukrainian energy grid was hacked. This latest attack to the Ukrainian power grid in December of 2016 was different though.

Two cyber security firms have concluded that a malware platform was behind the attack. Which was more advanced that previous industrial system malware attacks. In the past malware that specifically targeted industrial systems were: BlackEnergy, Havex, and Stuxnet. The latest malware, known as Industroyer/Crash Override, is a massive threat to energy infrastructure worldwide. To understand why though, it helps to know what past malware cyber weapons were and the damage they caused.

Industrial Control Cyber-weapons: Past & Present

The past two decades have seen the rapid rise of the internet. As businesses, people, and governments have come to rely on the internet, malicious actors have developed weapons for disruption. This disruption often means outright sabotage. The cyber weapons developed for the disruption of a country’s operations have been very advanced and few. The top three have been BlackEnergy, Havex, and Stuxnet. The uniting factor with these types of malware is that they target organizations who use industrial control system (ICS) or supervisory control applications.

2010 | Stuxnet

One of the most well known cyber weapons, Stuxnet, allegedly was started as a project in 2005. Stuxnet is also the malware that many attribute the compromise of Iran’s nuclear program too in January of 2010. Some even refer to it as the world’s first cyber weapon. This is because it was the first cyber weapon that did more than steal information from targeted networks. Instead stuxnet cause crippling damage to the equipment and systems the targeted network controlled. Stuxnet targeted programmable logic controllers (PLC) specifically, which are often responsible for automated machinery. It was able to target these PLCs because of four zero-day exploits in Windows systems. Stuxnet’s reach went far beyond Iran and affected nearly 200,000 computers. Eventually, the worm inspired more sophisticated attacks that would merge the cyber and physical worlds.

2014 | BlackEnergy 1, 2, & 3

The cyber weapon known as BlackEnergy was responsible for the 2015 attack to the Ukraine’s energy grid; a more advanced version at least. BlackEnergy started as a simple trojan that had the ability to launch DDoS attacks, but over time it was upgraded twice. In each upgrade there was not just an attachment of new features, instead the entire code was rewritten twice. Each time there was an “upgrade” BlackEnergy would come with a new set of more damaging capabilities. Security firm McAfee has stated that the latest version is likely a “go-to” for both cyber criminals and state-sponsored actors.

2014 | Havex

This malware, which has been classified as a remote access trojan (RAT) program targeted energy sector companies and disrupted their physical operations causing high costs for restoring operations. After the original attack on energy companies the cyber criminals made a more robust version that targeted any organizations using ICS applications. It even managed to infect the websites of three software providers and use them as watering holes to attack other companies.

2017 | Industroyer

Back to the present time, security experts recently at the 2017 black hat conference have stated that Industroyer marks a significant evolution in cyber weaponry aimed at ICS. This is because Industroyer was specifically designed for the sabotage of power grids. Right now any group that gets a hold of the malware could repurpose it to attack the power grid of any nation on the planet right now. Industroyer was not designed to be a general purpose attack though, as it was made specifically to exploit Siemen’s ICS products. Siemens has stated they have patched the vulnerability. The other unique aspect of Industroyer is that it uses no zero-day exploits either unlike previous cyber weapons.

Currently, power grids are within capacity to defend against this cyber weapon. However, even wealthy nations, such as the United States, continue to have extremely vulnerable power grids. The vulnerability is even worse than most companies, where the US power grid can be overcome by even the most inexpensive of attacks. An attack from this very sophisticated malware, Industroyer, could bring the United States to a grinding halt.

Investment needs to be made into proper cyber security for power grids globally. However this will prove to be a challenge because of the complexity of ownership schemes in different countries. In the United States for example ownership of the grid is different state to state. At times it can be different city to city. This can be a mix of private owners or quasi-private public arrangements. In either case the political and regulatory hurdles must be overcome as soon as possible to safeguard the cyber security of the power grid.

Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born. Isaac is a well-recognized thought leader in the security industry with many of his articles published in Forbes, Inc, Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.